[
https://issues.apache.org/jira/browse/AMBARI-25172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16792617#comment-16792617
]
Hudson commented on AMBARI-25172:
---------------------------------
FAILURE: Integrated in Jenkins build Ambari-branch-2.6 #721 (See
[https://builds.apache.org/job/Ambari-branch-2.6/721/])
AMBARI-25172. XSS - cross site scripting vulnerability (aantonenko:
[https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=c902b0d748ece735ea5ececd713c0ff6f475163e])
* (edit) ambari-web/app/utils/validator.js
* (edit) ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
* (edit) ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
* (edit) ambari-web/app/messages.js
* (edit) ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
> XSS - cross site scripting vulnerability
> ----------------------------------------
>
> Key: AMBARI-25172
> URL: https://issues.apache.org/jira/browse/AMBARI-25172
> Project: Ambari
> Issue Type: Bug
> Components: ambari-web
> Affects Versions: 2.6.2
> Reporter: Abdu Sahin
> Assignee: Antonenko Alexander
> Priority: Major
> Labels: pull-request-available
> Attachments: 2.6.patch, 2.7.patch, Screen Shot 2019-02-27 at 12.28.14.png
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> I noticed there are some web pages in the Ambari Console vulnerable to XSS
> attacks, where an attacker can perform a variety of actions: steal the user's
> cookies, modify webpage contents, and perform operations on the site within the
> user's session.
> *Steps to reproduce !Screen Shot 2019-02-27 at 12.28.14.png!*
> Step 1: Log in to the application.
> Step 2: Go to Services -> YARN (you can select any service here).
> Step 3: Select any existing widget in the Metrics section and click on edit.
> Step 4: Click on edit.
> Step 5: In the name field box, enter the value "<img src=X onerror=alert(22)>".
> Step 6: Click on the Next button and then the Save button.
> Step 7: The XSS popup will trigger once the summary page is refreshed.
> *Note:* The Create widget page is also vulnerable.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
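The reproduction steps above put a widget name containing markup into a form field and rely on the page rendering that name without encoding. The JavaScript below is an added example, not code from this issue, from the Ambari code base or from the linked commit: it shows the vulnerable concatenation pattern next to two independent defences, output encoding of the rendered name and validation of the name field, using the exact payload from the report as constructed input. The function names (renderWidgetNameUnsafe, escapeHtml, renderWidgetNameSafe, isValidWidgetName, containsInlineHandler) and the 100-character limit are assumptions for illustration.

```javascript
// Added example (not Ambari's own code). Function names and the length limit
// are illustrative assumptions; the payload is the one from the issue report.

// Payload from the reproduction steps, constructed here as test input.
const PAYLOAD = '<img src=X onerror=alert(22)>';

// Vulnerable pattern: the user-supplied name is concatenated into markup
// unencoded, so the browser parses the <img> tag and fires its onerror handler.
function renderWidgetNameUnsafe(name) {
  return '<span class="widget-name">' + name + '</span>';
}

// Defence 1: output encoding. Every character that can open a tag, close an
// attribute or start an entity is replaced by its entity reference, so the
// browser shows the name as text instead of parsing it.
function escapeHtml(str) {
  return String(str).replace(/[&<>"'`]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  })[c]);
}

function renderWidgetNameSafe(name) {
  return '<span class="widget-name">' + escapeHtml(name) + '</span>';
}

// Defence 2: input validation at the form (the "name" field in the report).
// A widget name has no legitimate need for markup characters, so reject them
// outright instead of trying to strip them; also enforce a sane length.
function isValidWidgetName(name) {
  if (typeof name !== 'string') return false;
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 100) return false;
  return !/[<>&"'`]/.test(trimmed);
}

// Crude detector used only to compare the two renderers: does the markup
// contain an element with an inline on<event>= handler? Not a sanitizer.
function containsInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone run: the unsafe renderer emits a live handler, the safe one does not.
console.log(renderWidgetNameUnsafe(PAYLOAD), containsInlineHandler(renderWidgetNameUnsafe(PAYLOAD)));
console.log(renderWidgetNameSafe(PAYLOAD), containsInlineHandler(renderWidgetNameSafe(PAYLOAD)));
console.log('valid name?', isValidWidgetName(PAYLOAD), isValidWidgetName('YARN Memory Usage'));
```

Encoding at the output is the defence that holds regardless of how the name reached the page (form, REST API, imported definition); the field validation is defence in depth for the specific form in the report. In a Handlebars template such as the step2_graph.hbs file touched by the fix, the double-brace `{{value}}` form HTML-escapes its output while the triple-brace `{{{value}}}` form inserts it raw, so any widget field that carries user input should be checked for the raw form.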